January 11, 2019updated 27 Mar 2019 11:25am

Unsecured MongoDB database leaves details from 200 million CVs exposed

By Ellen Daniel

A huge MongoDB database containing the personal details of millions of job seekers in China was left unprotected for at least a week, it has emerged.

The database, located on cross-platform document-oriented database programme MongoDB contained 730,434 records, totaling 854GB of data. This included highly sensitive information, such as full name, date of birth, phone number, email address, civil status as well as career-related information such as professional experience and job expectations.

Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof reported that the exposed data was discovered using a BinaryEdge search after it was left without password protection. It is unclear where the data originated from.

Diachenko also said that the log showed that at least a dozen IPs might have accessed the data before it was taken offline.

Although this may not be as extensive as the largest leak of 2018, the Marriott Hotel data breach in which the details of 500 million guests was exposed, it is still a substantial breach, made more worrying by the fact that it was not immediately secured after Diachenko tweeted about it.

An expert gives his view

Commenting on the news is Jonathan Deveaux, head of enterprise data protection for Comforte, believes that this highlights the fact that databases can be left exposed for long periods of time before anyone notices or acts:

“In the case of this data breach, or data exposure, the unprotected data was open and available for about a week, according to the report. Forensics from past data breaches have revealed that outside access to data was typically available for months, and sometimes years. Therefore, one might say that the owners of this database were ‘lucky’ that the data was only exposed for a week.”

What is most alarming about this data breach is that access to the database did not require a password or any other type of authentication, meaning anyone on the internet had potential access.

Deveaux believes that this highlight a potential flaw in how databases of this kind are constructed, with data protection often applied after they are compiled:

“Another interesting detail about this data exposure incident is that the personal information resided in a MongoDB database. A quick view of the MongoDB website states that it is a document database that is highly scalable and flexible. And it’s free and open source. Does technology that is free and open source mean its unsecured? No, but often data protection and privacy are applied after the initial objectives are met. This could mean that data is exposed and is unprotected for a while.”

He believes that this shows how organisations are not always thorough enough when ensuring data they hold is stored securely, even though doing so should be standard practice:

“It is the responsibility of the administrator of the database, and ultimately the organisation collecting and storing the data, to enact effective data protection and privacy methods. An 854GB cache of data with 200 million records initially doesn’t seem to be small, however, in the daily workload of an organisation, it is possible that securing this database may have been missed.

“No matter what the reason is behind this data exposure, this incident surely points out that any kind of data could be at risk at any given time. More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimise exposures of all sizes.”

Verdict deals analysis methodology

This analysis considers only announced and completed artificial intelligence deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,